We claim:

1. A method for generating a configuration file for at least one firewall in a network, said network including a plurality of hosts, said method comprising the steps of:

receiving a definition for a plurality of roles that specify the ability of a host to send and receive packets;

receiving an assignment of said roles to said hosts in said network; and

generating rules for said hosts based on said assigned roles, said rules determining whether a packet is passed to a destination host.

2. The method of claim 1, wherein a configuration file is generated for a plurality of firewalls in said network.

3. The method of claim 1, wherein a security policy for said network is expressed in terms of said roles defining network capabilities of sending and receiving services.

4. The method of claim 1, wherein a plurality of said roles are combined into role-groups that may be assigned to one or more hosts.

5. The method of claim 1, wherein a plurality of said hosts are combined into a host-group that may be assigned a role or a role-group.

6. The method of claim 1, further comprising the step of providing a visual representation of the structure of said hosts in said network.

7. The method of claim 1, further comprising the step of providing a visual representation of a set of rules in said configuration file.
8. The method of claim 1, wherein said generating step is performed by a vendor-specific compiler that produces a vendor-specific firewall configuration file.

9. A method for generating a configuration file for at least one firewall in a network, said network including a plurality of interconnected hosts, said method comprising the steps of:

utilizing a model definition language to produce an entity relationship model representing a security policy for said network; and

translating said entity relationship model into said firewall configuration file.

10. The method of claim 9, wherein a configuration file is generated for a plurality of firewalls in said network.

11. The method of claim 9, wherein said security policy is expressed in terms of roles that define network capabilities of sending and receiving services.

12. The method of claim 11, wherein said roles are assigned to said hosts.

13. The method of claim 11, wherein a plurality of said roles are combined into role-groups that may be assigned to a host.

14. The method of claim 11, wherein a plurality of said hosts are combined into a host-group that may be assigned a role or a role-group.

15. The method of claim 9, further comprising the step of providing a visual representation of the structure of said hosts in said network.

16. The method of claim 9, further comprising the step of providing a visual representation of a set of rules in said configuration file.
17. The method of claim 9, wherein a vendor-specific compiler translates said entity-relationship model into a vendor-specific firewall configuration file.

18. A method of producing an entity-relationship model representing the security policy for a network, said network including a plurality of hosts, said method comprising the steps of:

receiving a definition for one or more role entities that further define allowed services and a direction in which a service can be executed;

receiving a model of a topology of said network that partitions said network into one or more zones, connected by means of one or more gateways, each of said gateways having a gateway-interface for each adjacent zone;

receiving an assignment of said hosts to one or more zones; and

generating said entity-relationship model from said received definitions, model and assignments.
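The role and zone steps of claims 1 and 18 worked through in code: roles carry a service and a direction, hosts are assigned roles (or role-groups) and zones, zones are linked by gateways with one interface per adjacent zone, and pass rules are generated only on the gateways a packet would actually cross. This is an added example, not the patent's own method or code; the role names, ports, hosts and topology are constructed assumptions.

```python
"""Added example (not from the patent): role-based firewall rule generation.
A role names a service plus a direction ("send" = may initiate, "receive" =
may accept). Hosts get roles or role-groups and a zone; zones are joined by
gateways with one interface per adjacent zone. A 'pass' rule is emitted on each
gateway between a client and a server whose roles agree on a service; anything
else falls to the implied default deny. All sample data below is constructed."""
from collections import deque
from itertools import product
SERVICES = {"http": 80, "ssh": 22}                         # service -> TCP port
ROLES = {"web-client": ("http", "send"), "web-server": ("http", "receive"),
         "ssh-client": ("ssh", "send"), "ssh-server": ("ssh", "receive")}
ROLE_GROUPS = {"admin-ws": {"web-client", "ssh-client"}}    # a set of roles

def expand(names):
    """Flatten role-group names into the role names they contain."""
    return set().union(*(ROLE_GROUPS.get(n, {n}) for n in names))

def zone_path(src_zone, dst_zone, gateways):
    """BFS over zones; returns the gateways crossed in order, None if unreachable."""
    queue, seen = deque([(src_zone, [])]), {src_zone}
    while queue:
        zone, crossed = queue.popleft()
        if zone == dst_zone:
            return crossed
        for gw, zones in gateways.items():
            if zone in zones:                               # gw has an interface here
                for nxt in zones - seen:
                    seen.add(nxt)
                    queue.append((nxt, crossed + [gw]))
    return None

def generate_rules(hosts, zone_of, gateways):
    """hosts: host -> roles/role-groups; zone_of: host -> zone;
    gateways: gateway -> set of adjacent zones.  Returns gateway -> rule list."""
    rules = {gw: [] for gw in gateways}
    for src, dst in product(hosts, hosts):
        if src == dst:
            continue
        sends = {s for s, d in (ROLES[r] for r in expand(hosts[src])) if d == "send"}
        recvs = {s for s, d in (ROLES[r] for r in expand(hosts[dst])) if d == "receive"}
        for svc in sorted(sends & recvs):                   # both sides must agree
            for gw in zone_path(zone_of[src], zone_of[dst], gateways) or []:
                rules[gw].append((src, dst, "tcp", SERVICES[svc], "pass"))
    return rules

# Constructed topology: dmz --gw1-- inside --gw2-- mgmt
HOSTS = {"web1": {"web-server", "ssh-server"}, "pc1": {"web-client"}, "adm1": {"admin-ws"}}
ZONE_OF = {"web1": "dmz", "pc1": "inside", "adm1": "mgmt"}
GATEWAYS = {"gw1": {"dmz", "inside"}, "gw2": {"inside", "mgmt"}}
```

Same-zone traffic yields no gateway rule, and a host pair whose roles do not share a service produces nothing, so the output lists only what the roles explicitly permit.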
19. The method of claim 18, further comprising the step of assigning said roles to said hosts.

20. The method of claim 18, further comprising the step of defining one or more role-group entities consisting of a set of said role entities.

21. The method of claim 18, further comprising the step of translating said entity relationship model into a firewall configuration file.

22. The method of claim 21, wherein said configuration file is generated for a plurality of firewalls in said network.

23. The method of claim 18, wherein said security policy is expressed in terms of roles that define network capabilities of sending and receiving services.
24. The method of claim 18, wherein a plurality of role entities are combined into a role-group that may be assigned to a host.

25. The method of claim 18, wherein a plurality of said hosts are combined into a host-group that may be assigned a role or a role-group entity.

26. The method of claim 18, further comprising the step of providing a visual representation of the structure of said hosts in said network.

27. The method of claim 21, further comprising the step of providing a visual representation of a set of rules in said configuration files.

28. The method of claim 18, wherein a vendor-specific compiler translates said entity-relationship model into vendor-specific firewall configuration files.

29. A method of generating a security policy for a network, said network including a plurality of hosts, said method comprising the steps of:

receiving a definition for a plurality of roles that specify the ability of a host to send and receive packets;

receiving an assignment of said roles to said hosts in said network; and

generating said security policy from said received definitions and assignments.

30. The method of claim 29, further comprising the step of translating said security policy into at least one configuration file for a firewall on said network.

31. The method of claim 30, wherein said configuration files are generated for a plurality of firewalls in said network.
32. The method of claim 29, wherein a plurality of said roles are combined into a role-group that may be assigned to a host.

33. The method of claim 29, wherein a plurality of said hosts are combined into a host-group that may be assigned a role or role-groups.

34. The method of claim 29, further comprising the step of providing a visual representation of the structure of said hosts in said network.

35. A compiler for generating a configuration file for a firewall in a network, said network including a plurality of hosts, comprising:

a memory for storing computer-readable code; and

a processor operatively coupled to said memory, said processor configured to execute said computer-readable code, said computer-readable code configuring said processor to:

receive a definition for a plurality of roles that specify the ability of a host to send and receive packets;

receive an assignment of said roles to said hosts in said network; and

generate rules for said hosts based on said assigned roles, said rules determining whether a packet is passed to a destination host.

36. A firewall manager for generating a configuration file for a firewall in a network, said network including a plurality of interconnected hosts, comprising:

a parser utilizing a model definition language to produce an entity relationship model representing a security policy for said network; and

a compiler for translating said entity relationship model into said firewall configuration file.

37. A parser for producing an entity-relationship model representing the security policy for a network, said network including a plurality of hosts, said parser comprising:
a memory for storing computer-readable code;

a processor operatively coupled to said memory, said processor configured to execute said computer-readable code, said computer-readable code configuring said processor to:

receive a definition for one or more role entities that further define allowed services and a direction in which a service can be executed;

receive a model of a topology of said network by partitioning said network into one or more zones, connected by means of one or more gateways, each of said gateways having a gateway-interface for each adjacent zone;

receive an assignment of said hosts to one or more zones; and

generate said entity-relationship model from said received definitions, model and assignments.

38. A system for generating a security policy for a network, said network including a plurality of hosts, said system comprising:

a memory for storing computer-readable code; and

a processor operatively coupled to said memory, said processor configured to execute said computer-readable code, said computer-readable code configuring said processor to:

receive a definition for a plurality of roles that specify the ability of a host to send and receive packets;

receive an assignment of roles to said hosts in said network; and

generate said security policy from said received definitions and assignments.